Shrinking Patch Timelines – The Need For HIPS
Monday January 19, 2009 at 5:42 am CST
Posted by Vinoo Thomas
Over the years, the window between the disclosure of an exploitable vulnerability and its incorporation into a worm candidate has shrunk from months, to weeks, to zero-day. This leaves administrators with very little time to schedule and deploy patches to all the servers and workstations on their network. Virus authors, on the other hand, have been quick to include exploit code in their creations whenever a critical vulnerability is reported. The chart below shows the time frame between a vulnerability being reported and virus authors incorporating it into a worm candidate.
The year 2007 was the only exception in recent years, with no worm exploiting a critical Microsoft vulnerability.
It’s easy for an outsider to criticize or pass judgment on a network that was hit by a zero-day worm. Spare a thought for the IT administrator: most do not have the flexibility to deploy patches to the network immediately, for policy reasons. For example, the organization could be running legacy software that might break if a new service pack were applied, and keeping those legacy applications running takes precedence over applying the latest Windows hotfixes. Most system administrators who work in hospitals and other mission-critical environments don’t have the luxury of simply running Windows Update!
To add to these woes, every once in a while a hotfix from Microsoft breaks something in the operating system or adversely affects other applications. Once a patch is rolled out via WSUS (Windows Server Update Services) it cannot be rolled back centrally, so a faulty patch from the vendor can prove costly for the organization. For these reasons administrators need more time to deploy hotfixes in a test environment and QA them properly before pushing them out to the enterprise.
So what can an administrator do in these circumstances? Relying solely on mainstream antivirus desktop protection or firewall-style perimeter protection is insufficient against today’s threats. The need of the hour is defense in depth. Administrators who don’t have the luxury of applying patches promptly should seriously consider installing a HIPS (host intrusion prevention system) on the endpoint to prevent exploit-based worm infections. A host intrusion prevention system not only protects systems against zero-day vulnerabilities but also gives administrators more time to test and deploy patches. The recent W32/Conficker.worm outbreaks could have been nipped in the bud if more organizations had chosen to protect their systems with HIPS.

January 19th, 2009 at 19:38
I think it would be more accurate to say that the chart doesn’t show the time from public vulnerability to worm development. It shows the time from public disclosure to public identification of the worm. Tools and techniques used by the AV industry have improved over the years. Coincidentally, the rapid identification of bots correlates fairly well to the honeynet project.
To further my point, Conficker/Downadup has only recently gained the attention of the AV world. But estimates for its size range upwards of 8.9 million — which suggests to me that it’s spent some time in the wild before it was picked up.
At first glance, your chart appears to paint a bleak picture. I’d concede that bot developers have streamlined their tools and processes, but I think it’s more likely that the majority decrease in time to discovery reflects more the AV’s ability to detect bots.
January 20th, 2009 at 02:26
Well explicated true carks of Admins on every patch Tuesday
January 23rd, 2009 at 15:33
Why do people still run Windows at all?
We dumped it entirely nearly two years ago in favour of Kubuntu Linux. We are a small business. Just 8 machines. But many of them run 24/7 and are permanently on-line. Care to guess how many viruses, worms, trojans, spies, keyloggers etc. we had in that time?
Zero!